Re: [squid-users] Windows Messenger through Squid

2010-11-04 Thread Amos Jeffries

On 05/11/10 02:19, gsand...@aol.com wrote:

Hi,

I'm trying to set up a Squid server (Centos 5.5, Squid 2.6-STABLE21,
x64) to help my users to connect to Windows Live (as well as to provide
navigation). They _must_ use Windows Messenger (4.x, 5.x - the ones
shipped by default with Windows XP).
The Windows Messenger app logs in successfully (if you enter a wrong
username/password combination it refuses to connect) but cannot complete
the sign-in process, displaying "Signing in..." almost indefinitely.
Looking in access.log, I only see:

1288735315.171 6858 172.22.8.202 TCP_MISS/200 8272 CONNECT
login.live.com:443 - DIRECT/65.54.186.17 -

And then (many times, actually!):

1288735321.511 2048 172.22.8.202 TCP_MISS/200 1539 POST
http://64.4.44.76/gateway/gateway.dll? - DIRECT/64.4.44.76
application/x-msn-messenger

I tried using Windows Live Messenger (2009) and it worked perfectly. I
even tried using an ISA Server 2006 with Windows Messenger (5.x) and it
worked as well. I don't have yet any special/tricky ACL, only
"http_access allow all" to avoid confusions.

Does anybody have a similar setup (squid + windows messenger)? Any help
is appreciated.



Do you have "balance_on_multiple_ip" set to off? It needs to be.

The problems may be this:
 security keys validation sent via CONNECT ... DIRECT/65.54.186.17
 login actually performed via POST to ... DIRECT/64.4.44.76

An educated guess is that the Live software uses HTTP/1.1 and persistent 
connections.


Why do you have this strict MUST requirement on using very old versions?
 Part of the problem may also be that the Live servers refuse login 
from old releases with known remote-access security vulnerabilities.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.2


Re: [squid-users] help with simple web cache configuration

2010-11-04 Thread Amos Jeffries

On 05/11/10 13:45, Nick Rathke wrote:

Hi,

I have been trying various configuration combinations for days and
reading the FAQ and the configuration documentation trying to get a
basic web cache to work without much luck.

I have a department web site that I need to cache on some local systems,
I need to cache as much as possible to limit the bandwidth use. 90% of
the content is video .mov | .mp4 | .jpg files that loop in a sequence over
and over again, which is why I don't want to have them download each time
they play. There is also a live RSS feed in the page that does need to
refresh all the time.


The caching properties of these types of files are best set by the web 
server producing them. Squid can only play with the details it gets 
given. It can't make up completely new ones in any safe way.




I have included my configuration that I have now. The web "clients" are
running openSUSE with squid 2.7.STABLE6-6.1


??? confusion.

You are talking above and below about *a* proxy with problems. The 
nature of "clients" is not relevant.


Do you mean a linkage of:
  clients-> proxy with problems -> server
or:
  multiple proxies with same problems -> server

?

> from a 4GB USB drive that

has about 800GB free, systems have 1GB of RAM (which I have not seen go
above 30% used).

The store log seems to show media files with a "SWAPOUT" but when I look
at the network activity it looks like firefox is still downloading them.

The RSS is not updated and is being cached (which it shouldn't be). Then
when the .mov file starts to play the store state seems to move to "RELEASE".


I have yet to see a working RSS feed which permits caching for longer 
than a small number of minutes. Most RSS can safely be cached for a few 
seconds to limit flooding.


You can plug public URLs into redbot.org to get a report of what a proxy 
will do and why. Any problems detected there need to be fixed at the 
source web server. Local proxy fixes will leave great amounts of 
invisible-to-you breakage for real visitors.


Assuming it is a 2.7 config there is nothing badly wrong about it.


reply_body_max_size 0 allow all


Remove the "allow all" part of the above line.
In 2.x the ACLs are not supported. This limit applies globally.

Your maximum stored object size of 256 MB may affect some of the videos 
being stored. The problem is more likely to be no-store/no-cache or bad 
timestamps being sent by the web server though.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.2


Re: [squid-users] client_side_request.cc messages in cache.log

2010-11-04 Thread Amos Jeffries

On 05/11/10 05:23, donovan jeffrey j wrote:

I
On Nov 4, 2010, at 12:09 PM, Dean Weimer wrote:


I just set up a new site through my reverse proxy running Squid 3.1.9, and 
though it's working fine, I am receiving the following message every time a URL 
on the new site is accessed.

010/11/04 10:39:32| client_side_request.cc(1047) clientRedirectDone: 
redirecting body_pipe 0x8016a1e38*1 from request 0x802637800 to 0x802242000

The URL in question is an HTTPS URL, and is passed through a self-written URL 
rewrite program (written in Python). I have verified that the processes are not 
crashing or causing any internal errors when rewriting this URL.  The 
application is a vendor-provided ASP.net application running on IIS 6.0.  So 
far it's only available to internal users for testing, so there isn't a heavy 
load for this URL on the proxy yet.  There isn't any perceivable difference in 
performance between the reverse proxy and accessing the site directly (though I 
wouldn't expect to see the performance advantages of Squid with the current 
load on the backend server being next to nothing at this point), so whatever is 
causing the error doesn't seem to be affecting performance.

I am concerned that this message may be a sign of a more major problem when the 
server gets placed under a larger load.

Thanks,
  Dean Weimer


I am seeing the same things, I think it's normal behavior but I'm not sure 
either.
2010/11/04 12:19:12| client_side_request.cc(1047) clientRedirectDone: 
redirecting body_pipe 0xcc167c0*2 from request 0x96c400 to 0xa326a00
2010/11/04 12:19:15| client_side_request.cc(1047) clientRedirectDone: 
redirecting body_pipe 0x140dbb70*1 from request 0x3dc5c00 to 0x2cd6c00
2010/11/04 12:19:43| client_side_request.cc(1047) clientRedirectDone: 
redirecting body_pipe 0x1b8b350*1 from request 0xa3b4000 to 0x314

-j


At first glance it seems to be a debug message which has been left at 
the wrong priority. It indicates that the connection was URL re-written 
instead of HTTP redirected.


It should be noted that re-writing the HTTPS / CONNECT request URL is a 
very dangerous activity. It will result directly in the client 
connecting and sending SSL credentials to a server it was not intending 
to contact at all.
 The safe way to do it is with a true HTTP redirect via the 
302:/303:/307: status code. Unfortunately some browsers don't like these, 
so transition to correct usage needs to be done with care.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.2

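The helper below is an added example for this thread (it is not Dean's rewrite program and not part of Squid) showing the shape Amos recommends: a url_rewrite_program that answers with a 302: redirect instead of silently substituting a different URL, and that leaves CONNECT requests untouched, since the only thing Squid can show the helper for a tunnel is host:port and changing it would splice the client's TLS session onto a server the client never asked for. The MOVED_HOSTS map and the example.test names are constructed; the input line is assumed to be `URL client_ip/fqdn ident method ...`, with a leading decimal channel-ID when url_rewrite_concurrency is enabled.

```python
#!/usr/bin/env python3
"""Squid url_rewrite_program helper that redirects rather than rewrites.

Protocol assumed here (one request per line on stdin, one answer per line
on stdout): "URL client_ip/fqdn ident method ..." and, when the helper runs
with url_rewrite_concurrency, a leading channel-ID that must be echoed back.
An empty answer means "leave the request alone"; "302:URL" tells Squid to
send the client a real HTTP redirect instead of fetching a different URL.
"""
import sys
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed mapping for the example: hostnames that moved -> canonical host.
MOVED_HOSTS = {"old.example.test": "www.example.test"}
REDIRECT_STATUS = 302  # Squid also accepts 301:, 303: and 307: prefixes


def decide(url: str, method: str) -> str:
    """Return the helper answer for one request (without any channel-ID)."""
    if method.upper() == "CONNECT":
        # The "URL" of a CONNECT is just host:port. Rewriting it would make
        # the client complete its TLS handshake with a server it did not
        # choose, so a tunnel request is always passed through unchanged.
        return ""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ""
    target: Optional[str] = MOVED_HOSTS.get(parts.hostname.lower())
    if target is None:
        return ""
    # Keep path and query; send the client to the canonical https site.
    new_url = urlunsplit(("https", target, parts.path, parts.query, parts.fragment))
    return f"{REDIRECT_STATUS}:{new_url}"


def handle_line(line: str) -> str:
    """Parse one helper input line and build the matching output line."""
    fields = line.strip().split()
    if not fields:
        return ""
    channel = fields.pop(0) if fields[0].isdigit() else None
    # A malformed line (fewer than URL, client, ident, method) is left alone
    # rather than guessed at.
    answer = decide(fields[0], fields[3]) if len(fields) >= 4 else ""
    if channel is None:
        return answer
    return f"{channel} {answer}".rstrip()


def main() -> None:
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # Squid waits for each answer; buffering would stall it


if __name__ == "__main__":
    main()
```

Wire it in with `url_rewrite_program /path/to/this_helper.py` and Squid will issue the redirect itself; the client then opens a fresh request to the canonical host, so its TLS session always lands where its own address bar says it should.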

[squid-users] help with simple web cache configuration

2010-11-04 Thread Nick Rathke

Hi,

I have been trying various configuration combinations for days and 
reading the FAQ and the configuration documentation trying to get a 
basic web cache to work without much luck.


I have a department web site that I need to cache on some local systems, 
I need to cache as much as possible to limit the bandwidth use. 90% of 
the content is video .mov | .mp4 | .jpg files that loop in a sequence over 
and over again, which is why I don't want to have them download each time 
they play. There is also a live RSS feed in the page that does need to 
refresh all the time.


I have included my configuration that I have now. The web "clients" are 
running openSUSE with squid 2.7.STABLE6-6.1 from a 4GB USB drive that 
has about 800GB free, systems have 1GB of RAM (which I have not seen go 
above 30% used).


The store log seems to show media files with a "SWAPOUT" but when I look 
at the network activity it looks like firefox is still downloading them.


The RSS is not updated and is being cached (which it shouldn't be). Then 
when the .mov file starts to play the store state seems to move to "RELEASE".


Hopefully someone can help.

-Nick


Most of this should be default...

authenticate_cache_garbage_interval 1 hour
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
icp_access allow localnet
icp_access deny all
reply_body_max_size 0 allow all
http_port 3128
hierarchy_stoplist cgi-bin ?
cache_mem 512 MB
memory_replacement_policy lru
cache_replacement_policy heap LFUDA
cache_dir ufs /var/cache/squid 512 16 256
store_dir_select_algorithm least-load
max_open_disk_fds 0
minimum_object_size 0 KB
maximum_object_size 256 MB
cache_swap_low 90
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
emulate_httpd_log off
netdb_filename /var/log/squid/netdb.state
ftp_passive on
max_stale 3 day
refresh_pattern ^ftp: 1440 20 10080
refresh_pattern ^gopher: 1440 0 1440
refresh_pattern -i  (/cgi-bin/|\?) 0 0 0
refresh_pattern . 1440 50 10080
minimum_expiry_time 14400 seconds
store_avg_object_size 10 MB
refresh_stale_hit 120 seconds
connect_timeout 2 minutes
client_lifetime 1 days
cache_mgr webmaster
cache_swap_high 90

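Amos's point in the reply above is that the origin server's headers, not the proxy, decide whether the .mp4 loops and the RSS feed are cacheable, and that redbot.org reports what a proxy will do and why. The script below is an added example (not Squid's code and not from the thread) that models that decision for Nick's configuration: it is a simplified reading of the documented refresh_pattern algorithm (Cache-Control first, then Expires, then the min / percent / max heuristic) using the four refresh_pattern lines from the squid.conf posted above. The response headers and the example.test URLs are constructed test data; the rule order and the lm-factor arithmetic are the assumptions to check against a real response with redbot.

```python
"""Simplified model of the freshness check a Squid 2.7 cache applies.

Added example, not Squid's own code. It uses the refresh_pattern lines from
Nick's squid.conf and answers, for one constructed response, whether the
proxy would refuse to store it, serve it as FRESH, or treat it as STALE
(i.e. revalidate or refetch), and which rule made the decision.
"""
import re
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import Dict, Tuple

# refresh_pattern [-i] regex min(minutes) percent max(minutes), in config order.
REFRESH_PATTERNS = [
    (re.compile(r"^ftp:"), 1440, 20, 10080),
    (re.compile(r"^gopher:"), 1440, 0, 1440),
    (re.compile(r"(/cgi-bin/|\?)", re.IGNORECASE), 0, 0, 0),
    (re.compile(r"."), 1440, 50, 10080),
]


def match_refresh_pattern(url: str) -> Tuple[int, int, int]:
    """First matching refresh_pattern wins, exactly as in squid.conf."""
    for regex, min_minutes, percent, max_minutes in REFRESH_PATTERNS:
        if regex.search(url):
            return min_minutes, percent, max_minutes
    return 0, 0, 0  # unreachable with a trailing "." pattern; kept for safety


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split 'max-age=60, private' into {'max-age': '60', 'private': ''}."""
    directives: Dict[str, str] = {}
    for item in value.split(","):
        item = item.strip()
        if item:
            name, _, arg = item.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def cache_decision(url: str, headers: Dict[str, str], now: datetime) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is UNCACHEABLE, FRESH or STALE."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    for forbid in ("no-store", "no-cache", "private"):
        if forbid in cc:  # a shared cache must not reuse these at all
            return "UNCACHEABLE", f"Cache-Control: {forbid} from origin"

    date = parsedate_to_datetime(h["date"]) if "date" in h else now
    age = (now - date).total_seconds() + int(h.get("age", "0"))
    min_minutes, percent, max_minutes = match_refresh_pattern(url)

    # Explicit origin freshness information wins over the heuristics.
    max_age = cc.get("s-maxage", cc.get("max-age"))
    if max_age is not None and max_age.isdigit():
        verdict = "FRESH" if age <= int(max_age) else "STALE"
        return verdict, f"max-age={max_age}, age={age:.0f}s"
    if "expires" in h:
        expires = parsedate_to_datetime(h["expires"])
        return ("FRESH" if now < expires else "STALE"), "Expires header"

    # Heuristic rules from the matching refresh_pattern line.
    if age > max_minutes * 60:
        return "STALE", f"age exceeds refresh_pattern max ({max_minutes} min)"
    if age <= min_minutes * 60:
        return "FRESH", f"age within refresh_pattern min ({min_minutes} min)"
    if "last-modified" in h:
        last_modified = parsedate_to_datetime(h["last-modified"])
        if date > last_modified:
            # lm-factor: how much of the object's known lifetime has elapsed.
            lm_factor = age / (date - last_modified).total_seconds()
            verdict = "FRESH" if lm_factor * 100 < percent else "STALE"
            return verdict, f"lm-factor {lm_factor:.2f} vs {percent}%"
    return "STALE", "no validators and past refresh_pattern min"


def http_date(when: datetime) -> str:
    """Format a UTC datetime as an RFC 1123 header value."""
    return format_datetime(when, usegmt=True)


if __name__ == "__main__":
    now = datetime(2010, 11, 5, 0, 0, tzinfo=timezone.utc)
    samples = {  # constructed responses for the three content types in the thread
        "looping mp4": ("http://www.example.test/loop/clip1.mp4",
                        {"Date": http_date(now - timedelta(days=3)),
                         "Last-Modified": http_date(now - timedelta(days=30))}),
        "rss, no-cache": ("http://www.example.test/news.rss",
                          {"Date": http_date(now), "Cache-Control": "no-cache"}),
        "rss, max-age": ("http://www.example.test/news.rss",
                         {"Date": http_date(now - timedelta(seconds=30)),
                          "Cache-Control": "max-age=60"}),
    }
    for name, (url, headers) in samples.items():
        print(f"{name:14s} {' / '.join(cache_decision(url, headers, now))}")
```

For the looping video, only a Last-Modified of a month ago plus a Date three days old is enough for the "." pattern to keep serving it from cache (lm-factor well under 50%); for the feed, the origin has to send a short max-age rather than no-cache if the proxy is to absorb anything at all, which is the "few seconds" Amos mentions.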

[squid-users] Re: squid_kerb_ldap multiple groups and granular http_access rules

2010-11-04 Thread Markus Moeller
Will all 3 groups have the same rights? Or do you want to block some users 
and others not?


Markus

"Roy Anciso"  wrote in message 
news:aanlktikjgqwiztr3ubnk-kfg-thjxerg0jg7okr2m...@mail.gmail.com...

Hello,
I know with squid_kerb_ldap you can list multiple groups using a colon
- group1:group2. However when I try to define http access rules for
specific groups I can't seem to get the acl right.  At this point in
time I have separate external acls for each group to make this work
(see below). My question is - is there a better way to do this without
so many external acls defined? Thanks

external_acl_type kerbldapwebstaff ttl=3600 %LOGIN
/usr/local/bin/squid_kerb_ldap -i -d -g webst...@maps.misd.local

external_acl_type kerbldapweballow ttl=3600 %LOGIN
/usr/local/bin/squid_kerb_ldap -i -d -g webal...@maps.misd.local

external_acl_type kerbldapwebdeny ttl=3600 %LOGIN
/usr/local/bin/squid_kerb_ldap -i -d -g webd...@maps.misd.local

acl kerb_group_webstaff external kerbldapwebstaff
acl kerb_group_weballow external kerbldapweballow
acl kerb_group_webdeny external kerbldapwebdeny


http_access allow kerb_group_webstaff
http_access allow kerb_group_weballow
http_access allow kerb_group_webdeny

--
Roy Anciso

Director of Technology

Manistee Intermediate School District

772 East Parkdale Avenue

Manistee, MI 49660

Ph: 231-723-4264

Fx: 231-398-3036

r...@manistee.org




[squid-users] squid_kerb_ldap multiple groups and granular http_access rules

2010-11-04 Thread Roy Anciso
Hello,
I know with squid_kerb_ldap you can list multiple groups using a colon
- group1:group2. However when I try to define http access rules for
specific groups I can't seem to get the acl right.  At this point in
time I have separate external acls for each group to make this work
(see below). My question is - is there a better way to do this without
so many external acls defined? Thanks

external_acl_type kerbldapwebstaff ttl=3600 %LOGIN
/usr/local/bin/squid_kerb_ldap -i -d -g webst...@maps.misd.local

external_acl_type kerbldapweballow ttl=3600 %LOGIN
/usr/local/bin/squid_kerb_ldap -i -d -g webal...@maps.misd.local

external_acl_type kerbldapwebdeny ttl=3600 %LOGIN
/usr/local/bin/squid_kerb_ldap -i -d -g webd...@maps.misd.local

acl kerb_group_webstaff external kerbldapwebstaff
acl kerb_group_weballow external kerbldapweballow
acl kerb_group_webdeny external kerbldapwebdeny


http_access allow kerb_group_webstaff
http_access allow kerb_group_weballow
http_access allow kerb_group_webdeny

-- 
Roy Anciso

Director of Technology

Manistee Intermediate School District

772 East Parkdale Avenue

Manistee, MI 49660

Ph: 231-723-4264

Fx: 231-398-3036

r...@manistee.org


Re: [squid-users] client_side_request.cc messages in cache.log

2010-11-04 Thread donovan jeffrey j
I
On Nov 4, 2010, at 12:09 PM, Dean Weimer wrote:

> I just set up a new site through my reverse proxy running Squid 3.1.9, and 
> though it's working fine, I am receiving the following message every time a URL 
> on the new site is accessed.
> 
> 010/11/04 10:39:32| client_side_request.cc(1047) clientRedirectDone: 
> redirecting body_pipe 0x8016a1e38*1 from request 0x802637800 to 0x802242000
> 
> The URL in question is an HTTPS URL, and is passed through a self-written URL 
> rewrite program (written in Python). I have verified that the processes are 
> not crashing or causing any internal errors when rewriting this URL.  The 
> application is a vendor-provided ASP.net application running on IIS 6.0.  So 
> far it's only available to internal users for testing, so there isn't a heavy 
> load for this URL on the proxy yet.  There isn't any perceivable difference 
> in performance between the reverse proxy and accessing the site directly 
> (though I wouldn't expect to see the performance advantages of Squid with the 
> current load on the backend server being next to nothing at this point), so 
> whatever is causing the error doesn't seem to be affecting performance.
> 
> I am concerned that this message may be a sign of a more major problem when 
> the server gets placed under a larger load.
> 
> Thanks,
>  Dean Weimer

I am seeing the same things, I think it's normal behavior but I'm not sure 
either.
2010/11/04 12:19:12| client_side_request.cc(1047) clientRedirectDone: 
redirecting body_pipe 0xcc167c0*2 from request 0x96c400 to 0xa326a00
2010/11/04 12:19:15| client_side_request.cc(1047) clientRedirectDone: 
redirecting body_pipe 0x140dbb70*1 from request 0x3dc5c00 to 0x2cd6c00
2010/11/04 12:19:43| client_side_request.cc(1047) clientRedirectDone: 
redirecting body_pipe 0x1b8b350*1 from request 0xa3b4000 to 0x314

-j




[squid-users] client_side_request.cc messages in cache.log

2010-11-04 Thread Dean Weimer
I just set up a new site through my reverse proxy running Squid 3.1.9, and 
though it's working fine, I am receiving the following message every time a URL 
on the new site is accessed.

010/11/04 10:39:32| client_side_request.cc(1047) clientRedirectDone: 
redirecting body_pipe 0x8016a1e38*1 from request 0x802637800 to 0x802242000

The URL in question is an HTTPS URL, and is passed through a self-written URL 
rewrite program (written in Python). I have verified that the processes are not 
crashing or causing any internal errors when rewriting this URL.  The 
application is a vendor-provided ASP.net application running on IIS 6.0.  So 
far it's only available to internal users for testing, so there isn't a heavy 
load for this URL on the proxy yet.  There isn't any perceivable difference in 
performance between the reverse proxy and accessing the site directly (though I 
wouldn't expect to see the performance advantages of Squid with the current 
load on the backend server being next to nothing at this point), so whatever is 
causing the error doesn't seem to be affecting performance.

I am concerned that this message may be a sign of a more major problem when the 
server gets placed under a larger load.

Thanks,
 Dean Weimer
 Network Administrator
 Orscheln Management Co



[squid-users] Windows Messenger through Squid

2010-11-04 Thread gsandorx

Hi,

I'm trying to set up a Squid server (Centos 5.5, Squid 2.6-STABLE21,
x64) to help my users to connect to Windows Live (as well as to provide
navigation). They _must_ use Windows Messenger (4.x, 5.x - the ones
shipped by default with Windows XP).
The Windows Messenger app logs in successfully (if you enter a wrong
username/password combination it refuses to connect) but cannot complete
the sign-in process, displaying "Signing in..." almost indefinitely.
Looking in access.log, I only see:

1288735315.171   6858 172.22.8.202 TCP_MISS/200 8272 CONNECT
login.live.com:443 - DIRECT/65.54.186.17 -

And then (many times, actually!):

1288735321.511   2048 172.22.8.202 TCP_MISS/200 1539 POST
http://64.4.44.76/gateway/gateway.dll? - DIRECT/64.4.44.76
application/x-msn-messenger

I tried using Windows Live Messenger (2009) and it worked perfectly. I
even tried using an ISA Server 2006 with Windows Messenger (5.x) and it
worked as well. I don't have yet any special/tricky ACL, only
"http_access allow all" to avoid confusions.

Does anybody have a similar setup (squid + windows messenger)? Any help
is appreciated.